Surprise! Scans Suggest Hackers Put IMSI-Catchers All Over Defcon

Hackers gonna hack.

As well as a great opportunity to spy on some of the most talented security researchers, hacking conferences are naturally a hotbed for those looking to get up to a bit of mischief. Newly published data suggests a load of fake cell phone towers, or IMSI-catchers, popped up around the Las Vegas strip during the Defcon conference earlier this month, likely set up by attendees.

Geoffrey Vaughan, a security researcher and engineer, conducted scans using an IMSI-catcher detection app before and during the conference, and dumped his results this week.

"I just wanted to get the data out as quickly as possible," Vaughan told Motherboard in a Twitter message.

Vaughan explains on Github that he stayed in Las Vegas from July 31 to August 7, split between the Augustus Tower at Caesars Palace and the Paris Hotel. During that time, he walked around the strip, went shopping with his wife, took a limo cruise with his employer, and of course went to Defcon, which started on August 4. Vaughan also visited the Blackhat hacking conference, but just for a day, he adds.

According to one screenshot Vaughan published, there were eight GSM towers around the Bally's and Paris hotels, where Defcon is held, before the conference. Between August 4 and 8, there were around 38 in the same area.

These screenshots show a scan by Vaughan before Defcon (left) and during (right). Images: Geoffrey Vaughan

"The observations show significant increase in the number of towers in the area. There are a couple potential 'reasonable' explanations (like maybe there are towers on multiple floors throughout the building) but at the least I think it is reasonable to conclude that there were at least a few malicious GSM devices at the conference," Vaughan writes.

IMSI-catchers, commonly known as Stingrays, are small devices that pretend to be a cell phone tower and force nearby phones to connect. Depending on the model, an IMSI-catcher may be able to obtain the SIM card's unique identifier or international mobile subscriber identity (IMSI)—hence, IMSI-catcher—or intercept text messages.

The presence of these devices at Defcon should not come as a surprise to anyone who has even a vague understanding of hacking conferences. Whether it's hackers sniffing packets on the hotel wifi or trying to intercept phone data, there's always someone ready to pwn you every summer in Las Vegas.

Vaughan's analysis is not complete yet. "I need to go a little deeper still to see if there are any false positives, or if GPS accuracy created duplicates," he told Motherboard. But even with those caveats, it still appears that some of the cell towers will likely have been IMSI-catchers, he writes.

"There were definitely more towers during Defcon than before, as well as towers outside my hotel 'driving by' while I was staying at caesars," Vaughan added.